Skip to content

Latest commit

 

History

History
142 lines (116 loc) · 6.34 KB

README.md

File metadata and controls

142 lines (116 loc) · 6.34 KB

Ansible Roles - Automatic Updates

What is this?

  • A set of Ansible roles for CentOS and Debian hosts that provides users with the option to enable and/or remove automatic updates for packages installed.
  • For reference, below is a demonstration of how the directory structure of backups will look like after a number of debian_automatic_updates.yaml and centos_automatic_updates.yaml playbook runs at different time intervals.
# CentOS
.
└── <INVENTORY_HOSTNAME_001>
    ├── 2021-07-25T22:34:13Z-CentOS-8.4
    │   └── automatic.conf
    ├── 2021-07-25T22:35:33Z-CentOS-8.4
    │   └── automatic.conf
    └── 2021-07-25T22:37:20Z-CentOS-8.4
        └── automatic.conf

# Debian
.
└── <INVENTORY_HOSTNAME_002>
    ├── 2021-07-25T22:34:21Z-Debian-10
    │   ├── 20auto-upgrades
    │   ├── 50unattended-upgrades
    │   └── listchanges.conf
    ├── 2021-07-25T22:35:42Z-Debian-10
    │   ├── 20auto-upgrades
    │   ├── 50unattended-upgrades
    │   └── listchanges.conf
    └── 2021-07-25T22:37:27Z-Debian-10
        ├── 20auto-upgrades
        ├── 50unattended-upgrades
        └── listchanges.conf

Resource Requirements

Dependencies

  • dnf-automatic, unattended-upgrades, apt-listchanges
  • ansible-vault - [optional] - can be used in the debian_ssh.yaml or centos_ssh.yaml playbook to encrypt and store sensitive data "at rest".
    • In this use case, the ansible_sudo_password variable, which is used as the privilege escalation password, is stored in a vault.
    • Once the secret has been created and added to the playbook, in order for a user be able to become sudo to run the playbook, they will need to decrypt the vault to access the variable.
    • This can be achieved by passing one of the following flags listed below when executing the the playbook;
      • --ask-vault-pass
      • --vault-password-file
    • Below is a demonstration of how the encrypted variable is defined in the playbooks;
---
# playbook for the debian_automatic_updates role.
- hosts: debian_hosts
  # vars_files:
  #   - become-secret
  become: true
  roles:
    - debian_automatic_updates

Supported Distributions

  • Tested on;
    • debian-10 , centos-8-stream

Quick-start & Usage

# clone the repository
$ git clone [email protected]:hubvu/automatic-updates-ansible.git

# navigate into the directory
$ cd automatic-updates-ansible/

# run the master playbook `site.yaml` with verbosity
# for non Ansible Vault users
$ ansible-playbook site.yaml \
  --inventory-file=hosts \
  --ask-become-pass \
  --verbose

# run the master playbook `site.yaml` with verbosity
# for Ansible Vault users
$ ansible-playbook site_remove.yaml \
  --inventory-file=hosts \
  --ask-vault-pass \
  --verbose

# review the `backups` directory for the configuration files of each host
$ ls /roles/<role_name>/files/backups/<inventory_hostname>/<date_time>-<distribution_name>-<distribution_version>/

Contributing

  • Contribution guidelines for this project can be found in the Contributing document.

Acknowledgements

License